Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0ybTl3LTl4aDItd3hjM80sSA
Link Following in Jenkins Pipeline Multibranch Plugin
Jenkins Pipeline: Multibranch Plugin prior to 2.23.1, 2.26.1, 696.698.v9b4218eea50f, and 707.v71c3f0a_6ccdb_ follows symbolic links to locations outside of the checkout directory for the configured SCM when reading files using the readTrusted step, allowing attackers able to configure Pipelines permission to read arbitrary files on the Jenkins controller file system.
Permalink: https://github.com/advisories/GHSA-2m9w-9xh2-wxc3JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0ybTl3LTl4aDItd3hjM80sSA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: 12 months ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-2m9w-9xh2-wxc3, CVE-2022-25179
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-25179
- https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2613
- https://github.com/CVEProject/cvelist/blob/00bfb5abeecc9f553a2f42954ee540e493498ee9/2022/25xxx/CVE-2022-25179.json
- https://github.com/advisories/GHSA-2m9w-9xh2-wxc3
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins.workflow:workflow-multibranch
Affected Version Ranges: >= 706.vd43c65dec013, < 707.v71c3f0a, >= 696.v52535c46f4c9, < 696.698.v9b4218eea50f, < 2.23.1, >= 2.24, < 2.26.1Fixed in: 707.v71c3f0a, 696.698.v9b4218eea50f, 2.23.1, 2.26.1